fixing an integer overflow, which could lead to overwriting the end of a malloced...
authormichael <michael@9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
Fri, 4 Feb 2005 18:58:59 +0000 (18:58 +0000)
committermichael <michael@9553f0bf-9b14-0410-a0b8-cfaf0461ba5b>
Fri, 4 Feb 2005 18:58:59 +0000 (18:58 +0000)
git-svn-id: file:///var/local/repositories/ffmpeg/trunk@3937 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

libavformat/sierravmd.c

index 16b6a8d4cccb9fa89a87452b07c0f96d18c6a00b..b1484b560578031a7bb34d32ebe7eac7138a9cf6 100644 (file)
@@ -212,7 +212,8 @@ static int vmd_read_header(AVFormatContext *s,
 
         /* if the frame size is 0, do not count the frame and bring the
          * total frame count down */
-        vmd->frame_table[i].frame_size = LE_32(&current_frame_record[2]);
+        // note, we limit the size to 1Gb to ensure that we dont end up overflowing the size integer used to allocate the memory
+        vmd->frame_table[i].frame_size = LE_32(&current_frame_record[2]) & 0x3FFFFFFF; 
 
         /* this logic is present so that 0-length audio chunks are not
          * accounted */
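Review bot: The `& 0x3FFFFFFF` on the `frame_size` assignment silently truncates an oversized length read from the file instead of rejecting it, so a malformed frame record is still demuxed, with a size that no longer matches what the file declares. A range check that fails the header parse would be safer: read the value into a local and use `if (size > 0x3FFFFFFF) return AVERROR_INVALIDDATA;` (after whatever cleanup `vmd_read_header` needs) before storing it. The allocation the comment refers to is outside this hunk, so it cannot be confirmed from here that a value just under 1 GiB plus any bytes added at the allocation site stays in range; that site deserves its own check. The mask also still lets an untrusted file request close to 1 GiB per frame, so bounding `frame_size` against the remaining file size would limit memory exhaustion. If the mask is kept, the comment should state the bound precisely, e.g. `/* clamp to 30 bits (< 1 GiB) so the later allocation size cannot overflow */`.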